payments and security slides (1,81 mb)
TRANSCRIPT
Solvay Business School
SEMINAIRE DE TECHNOLOGIES DE L’INFORMATION ET DE
LA COMMUNICATION
UNIVERSITELIBRE DEBRUXELLES
eBusiness – Payments & SecurityeBusiness – Payments & SecurityPascale Vande VeldePascale Vande Velde
GEST 116GEST 116
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
2
Technologies de l’information et deLa communication
Introduction – Part I
Introduction – Part II
Supply chain management
Payments & Security
Content of eBusiness courseContent of eBusiness course
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
3
Technologies de l’information et deLa communication
Introduction to epayments
Network security principles and concepts
B2C ePayments solutions
B2B ePayments solutions
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
4
Technologies de l’information et deLa communication
Generic Payment ProcessGeneric Payment Process
2. Customer’s payment request or
instruction transmitted by the intermediary to the
vendor’s bank
1. Payment request or instruction transmitted by the customer to an intermediary
Intermediary Vendor’s bank
1’. Payment request or instruction transmitted by the customer
directly to the bank
After verification of the customer solvability, the transaction is sent to a
clearing entity
Clearing
Intra-banks
Inter-banks
International
Customer
Settlement when clearing achieved
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
5
Technologies de l’information et deLa communication
The payments market by instrument in BelgiumThe payments market by instrument in Belgium
Volumes(mio transactions)
Value(EUR bio)
1995 1999
Distr.
1999
1995 1999
Distr.
1999
Cheques 117,1 80,2 -31,5% 6% 305 98 -67,9% 0,6%
Paper-based transfers 447,9 412,1 -7,99% 30% 9.054 2.184 -75,9% 14%
Electronic transfers 220,6 310,9 +40,9%
22% 910 13.002 +1328%
85%
Credit cards 32,2 48,7 +51,2%
4% 3 5 +66,7%
NA
Debit cards 185,9 354,3 +90,6%
25% 9 18 +100% 0,1%
Direct Debit 104,5 142,3 +36,2%
10% 24 41 +70,8%
0,2%
Electronic Money 0,7 45,5 +6400%
3% NA 0,2 NA NA
Total 1.108,9 1.394,0 +25,7%
100%
10.305
15.348 +48,9%
100%* The data are very small relative to other relevant data in the table. Source : ECB Blue Book – June 2001
Co
st o
f p
aym
en
t
However, there is a significant shift from paper based towards electronic transfers and use of debit and credit cards has significantly intensified
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
6
Technologies de l’information et deLa communication
Internet is by far the cheapest way to process a Internet is by far the cheapest way to process a paymentpayment
Payment Unit Costs in Europe: € per transaction:
– Paper-based transfer: 1.24 (still 30% of all payments in volumes)
– Direct Debit modification: 0.74 to 4.96 (opening, changes, cancellation, …)
– Phone: 0.50– ATM: 0.27– Online (PC): 0.23– Internet: 0.10
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
7
Technologies de l’information et deLa communication
Significant differences between US and EuropeSignificant differences between US and Europe
US Consumer Payments in 1998
(% Share of Transactions)
US Consumer Payments in 2005
(% Share of Transactions)
100% ~$6.8 Trillion 100% ~$8.8 Trillion
Source: Nilson Reports; Accenture analysis
US Consumer Payments in 2010
(% Share of Transactions)
100% ~$4.5 Trillion
Credit Cards
Electronic
Checks
Cash
5122
20
4
Debit Cards
3
3112
26
10
19Credit Cards
Electronic
Checks
Cash
Debit Cards
22
17
30
14
16
Credit Cards
Electronic
Checks
Cash
Debit Cards
Checks are intensively used in the US while transfers and direct debits are hardly used
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
8
Technologies de l’information et deLa communication
Electronic billing is a promising solution in the USAElectronic billing is a promising solution in the USA
1999 2000 2001 2002 2003 2004
0.9 6.7 84
446
1,142
1,962
EBPP Households (million) 0.6 6.0 20.7
Recurring Household Bills Payable Online (%) 8 52 66
Percentage of all Bills (%) 0.04 3.0 13.1
13.1
61
7.6
0.1
5
0.01
2.1
28
0.6
US Retail Bills Presented & Paid Online
(million)
Consumers able to view &
pay at least 60% of all their recurring bills at
one site
Source: IDC; Jupiter Communications; Data Monitor; Forrester Research; Tower Group; Gartner Group; Accenture analysis
But the situation is different in Europe: actually, in Belgium, 80% of people use direct debit* to pay their bills. Consequently, billing presentation is not so important. e-Billing/invoice used in the US is an obsolete system compared to the system in application in Europe
*Domiciliation
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
9
Technologies de l’information et deLa communication
Billing ProcessBilling Process
Electronic Bill Presentment and Payment Overview
Billers
Internet Website
1. Customer uses Internet to access websites where
bills reside
Customer’s Bank
Biller’s Bank
3. Customer authorizes
payment through website
4. Payment is sent electronically
(ACH*, RPS, etc.) from customer
bank to biller bank
5. Remittance and payment information is sent to biller for posting
2. Billers send electronic bills to
appropriate site(s)
EBPP includes bill presentment and payment
*Automated Clearing Housed: Clearing method including netting, and typical to the U.S.
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
10
Technologies de l’information et deLa communication
Presentment options:• White labeled: direct billing through
ASP or presentment via a third party CSP• TTP branded: on the TTP’s Portal
Payment options:1. For the B2C and SME
• eBanking• Credit cards• E-mail based payments (paypall, x.com)
2. For corporates• Regular payment systems• International• Netting of payments
EBPP Multi-channel presentation and delivery EBPP Multi-channel presentation and delivery
eBanking
Other Portal
Consumer
SME
Corporate
Client subscription DB with:• delivery preferences:
• Physical delivery• WAP & PDA• eBanking • TTP Portal• Other Portal• [email protected] • Other eMail
• Notification preferences:• SMS• eMail• Portal Alert
Printing & physical delivery
SmallEnterprises &independents
Large billers
Mediumenterprises
FTP/XML/EDIFACT
Online invoice templates
FTP/XML/EDIFACT
Third party CSPBillers
FTP/XML/EDIFACT
FTP/XML/EDIFACT
GUI for view and pay+ eMail with bills
+ notification
GUI for view and pay . + integration into standard accounting packages
+ bill analysis features
Consumer
FTP/XML/EDIFACT+ integration into ERP systems
+ notification to responsible A/P
Trusted Third Party (TTP) Trusted Third Party (TTP) EBPP ConsolidatorEBPP Consolidator
Customers
Potential Value Added Services by TTP:1. Factoring2. Intra-corporate and inter-
corporate Netting3. Cash Management (incl. FX)4. Trade Finance5. Trust services
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
11
Technologies de l’information et deLa communication
Introduction to epayments
Network security principles and concepts
B2C ePayments solutions
B2B ePayments solutions
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
12
Technologies de l’information et deLa communication
Need Description
Integrity Data is not changed in an unauthorized way
Confidentiality Transactions and communications are kept private
Identification Our customers are identified
Non-Repudiation An individual cannot deny that a transaction was made
Six security principlesSix security principles
Digital security Digital security data data must address several critical needsmust address several critical needs
Authentication Transaction participants are known
Authorization Transaction participants are authorized
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
13
Technologies de l’information et deLa communication
AuthenticationAuthentication
Entity One (Business)
ApplicationServer
Web ServerFirewall
Entity Two (User)End User PC
User ID &Password
AuthenticationServer
AuthenticationClient
Internet
Entity One (Business)
ApplicationServer
Web ServerFirewall
Entity Two (User)End User PC
AuthenticationServer
AuthenticationClient
Internet
Yes/NoResponse
• Two components necessary : authentication server and authentication client
• The authentication client will prompt the user to enter his identifier and shared secret and will pass the information to the authentication server
• The authentication server will then confirm that the identifier is valid, and that the shared secret matches the identifier.
• The authentication server will then pass a yes/no response back to the autentication client. The user will then be granted or denied access to the application
Authentication flow
Authentication response
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
14
Technologies de l’information et deLa communication
EncryptionEncryption
Firewall
InternetEntity One (Business)
Entity Two (User)
Public Key Storage
Private Key
ApplicationServer
Web Server
End User PC
AuthenticationServer
AuthenticationClient
Firewall
InternetEntity One (Business)
Entity Two (User)
Public Key Storage
ApplicationServer
Web Server
End User PC
AuthenticationServer
AuthenticationClient
Private Key
Encrypt with user’sprivate digitalsignature key
Decrypt with user’spublic digitalsignature key
Encryption architecture
Message encryption process
• Cryptography services are provided with a Public Key Infrastructure (PKI)
• In public key encryption, all entities will be issued public keys
• The private key is generated via an algorithm based on the public key and all public keys are stored in a central storage location
• The distribution of public keys and maintenance of central storage for the public keys establishes the public key infrastructure for ecommerce transactions
• When the end user wants to send a message, he generates a private key based on its public key
• He encrypts the message using his private digital signature key
• When the business application server receives the transaction, it looks up the end user’s public key from the central storage location and decrypts the message with the key
• The business application server can decrypt the message because he has the corresponding public key
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
15
Technologies de l’information et deLa communication
Digital signaturesDigital signatures
011010111011
Firewall
InternetEntity One (Business)
Entity Two (User)
Public Key Storage
Encrypts message hashwith user’s private key
ApplicationServer
Web Server
End User PC
AuthenticationServer
AuthenticationClient
Private Key
Computesmessage hash
X= [(y)*]
Certificate Authority
End User Signature
CertificateDirectory
Private Key
FirewallEntity One (Business)
Entity Two (User)
Public Key Storage
ApplicationServer
Web Server
End User PC
AuthenticationServer
AuthenticationClient
Private Key
Certificate Authority
End User Signature
UserCertificate
Internet
Private Key
CertificateDirectory
Digitally signing a message
Sending a digitally signed message
• A digital signature is an encrypted message hash
• A message hash is a mathematical formula that is run against a message to create a unique number. This mathematical formula is well known to all participants in a transaction
• When the message hash is encrypted with the user’s private key, it becomes a digital signature
• A certificate is a digital document that binds a public key to an entity. In their simplest form, certificates contain an entity’s name and public key
• When signing a message with a digital signature, an entity will also send its certificate containing its identity and public key
• Certificates are issued and maintained by a Certificate Authority (CA). This CA is a secure, trusted entity who will issue certificates to authorized entities only and who will verify that a certificate is valid
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
16
Technologies de l’information et deLa communication
RecipientSender
Trusted third party
SecurityServices
Certificate Authority(CA)
CertificateRepository
Certificatesand Revocation
Lists (CRLs)
Certificatesand Revocation
Lists (CRLs)
Digital signatures/2Digital signatures/2
** If recipient does not trust CA, they can find a certificate attesting to identity of ICA, and possible construct a chain of certificates terminating at trusted root CA (Source: Digital Signature Trust; Accenture analysis)
•Sender applies to Certificate Authority (CA) as trusted third party*
•CA verifies sender’s identity, issues certificate (with public key data) and publishes certificate in repository
•Sender creates and signs message and attaches certificate
•Recipient trusts CA, certificate and contents, including public key**
•Recipient extracts public key to verify sender signature
•Recipient verifies identity and integrity
Digital Certificate
Digital Certificate Industry Standard: name, public key, expiration date, CA
name, CA signature, CA signature algorithm identifier, certificate version,
and serial number
* In practice the entity that identified the users is called a Registration Authority
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
17
Technologies de l’information et deLa communication
Validating digital signaturesValidating digital signatures
FirewallEntity One (Business)
Entity Two (User)
Public Key Storage
ApplicationServer
Web Server
End User PC
AuthenticationServer
AuthenticationClient
Private Key
Certificate Authority
End User Signature
UserCertificate
Internet
Private Key
CertificateDirectory
FirewallEntity One (Business)
Entity Two (User)
Public Key Storage
ApplicationServer
Web Server
End User PC
AuthenticationServer
AuthenticationClient
Private Key
Certificate Authority
End User Signature
UserCertificate
Internet
Private Key
CertificateDirectory
Validating a digitally signed message
Validating a certificate
• The business will receive the message and the end user’s certificate. However, the business has no way of knowing that the certificate is valid; i.e. that it contains the correct name and public key information
• Therefore the business will send the end user’s certificate to the CA
• The CA maintains a directory of authorized entities and their public keys. When the CA receives the end user’s certificate, it will confirm or deny the validity of the certificate and send it back to the business
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
18
Technologies de l’information et deLa communication
Digital signature – Recent legislationDigital signature – Recent legislation
European directive (December 13, 1999) on digital signatures Belgian law (October 20, 2000 and July 9, 2001)
– A signature can consist of a set of electronic data which can be associated to a well defined person and which certifies the integrity of the content
– Legally binding of a digitally signed document
The law targets mainly the digital signatures based on assymmetric cryptography and combined with a digital certificate (PKI)
Legislation defines role and responsibilities of the Certification Authority– Approval
– Control
CA role consists of certifying the link between a person and its public key CA liability : a CA which delivers a qualified certificate is liable for any damages
caused to anyone who has trusted the certificate – In practice, purpose is to limit carelessness (not timely revocation of a certificate…)
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
19
Technologies de l’information et deLa communication
Providing non repudiationProviding non repudiation
FirewallEntity One (Business)
Entity Two (User)
Public Key Storage
ApplicationServer
Web Server
End User PC
AuthenticationServer
AuthenticationClient
Private Key
Certificate Authority
End User Signature
Internet
011010111011
Decrypts message hashwith user’s public key
Re-computesmessage hash
X= [(y)*]011010111011
Messagehashesmatch
Private Key
CertificateDirectory
Providing non repudiation
• The business now knows that the certificate contains the correct public key for the end user. The business will then decrypt the message hash using that public key. The business will then rerun the message hash using the known mathematical formula. If the decrypted message hash matches the message hash which the business just created, then it has been verified that the message was sent by the end user, and that the message was not altered during transmission. Therefore non repudiation for the message is provided
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
20
Technologies de l’information et deLa communication
Transport/Encrypted connectionTransport/Encrypted connection
The TCP/IP (Transmission Control protocol/Internet Protocol) governs the transport and routing of data over the internet
The SSL protocol allows an SSL-enabled server to authenticate itself to an SSL-enabled client, allows the client to authenticate itself to the server, and allows both machines to establish an encrypted connection
SSL protocol addresses security issue of the communication while symmetric and assymmetric encryption addresses security issues related to data transferred
TCP/IP layer
Secure sockets layer (SSL)
HTTPApplication layer
Network layer
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
21
Technologies de l’information et deLa communication
Data encryption - Isabel illustrationData encryption - Isabel illustration
Registration Authority (RA)
Isabel Platform (acting as root
Certification Authority)
Isabel’s network=
Belgian banks network
Isabel Platform (acting as root
Certification Authority)
Isabel’s network=
Belgian banks network
Identification of the clientClient
Public Key (key publicly known)
Public Directory (Yellow pages)
Containsclient data and stores public key
Private Key(key known only to user)
++
Software InterfaceThe private key is generated and recorded on the chipWhen the PC is started. To use the chipcard, a pincode must be entered
Payment software + empty microship
Client’s bank
There is a logical (mathematical relation) between the private and the public key
Certification Authority (CA) delivers digital
certificate
The digital certificate is stored in a directory
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
22
Technologies de l’information et deLa communication
Data encryption - Isabel illustration/2Data encryption - Isabel illustration/2
User
Isabel Platform
Isabel’s network=
Belgian banks network
Isabel Platform
Isabel’s network=
Belgian banks network
User’s Banks
+
Software Interface
via
Checks his
AccountsAnd
Initiatespayments
Four characteristics to determine the security level of an electronic file:
Authentication: confirming the identity of parties involved in the transactionIntegrity: confirmation that the content of a message has not been alteredNon-repudiation: the signer can not deny the signing of the messageEncryption: allow the sender to encrypt the messages he wants to send in order to keep its content secret
These characteristics can only be conferred to an electronic file through Certification
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
23
Technologies de l’information et deLa communication
Introduction to epayments
Network security principles and concepts
B2C ePayments solutions
B2B ePayments solutions
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
24
Technologies de l’information et deLa communication
What do the Belgians buy online and where ?What do the Belgians buy online and where ?
Most frequent goods bought online are books, CDs, softwares, hardware, events tickets, transport tickets
More than one third of purchases are made on a foreign internet site. This has an impact on the payments methods used
Source : Belgian internet mapping – October 2000
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
25
Technologies de l’information et deLa communication
Which tools do the Belgians use to pay their online Which tools do the Belgians use to pay their online purchases ?purchases ?
One order out of two is paid by credit card. Use of edebit cards is limited at this stage
Remittance (eg virements) account for a significant share of payments, in particular for domestic purchases
Source : Belgian internet mapping – October 2000
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
26
Technologies de l’information et deLa communication
Retail Solutions: eDebit Card Retail Solutions: eDebit Card
2°)Choose your Banxafe payment sytem: Bancontact, Mister Cash, Visa, Mastercard
1°)Install your Banxafe terminal
Banxafe is the security label developed by Banksys to guarantee total reliability of bankcard payments over the Internet. This concept has already set a new standard for on-line payment security.
3°)Insert your Bancontact/ Mister Cash card In the terminal
4°)Type your secret code twice and confirm the amount of your purchasesYour payment is done!
PKI and digital signatureSecurity is achieved by a public key authentication applet. This applet is accessed by a banking PIN and generates a digital signature which is checked by a public key infrastructure certificate. The client uses a private key to sign his payments. Banksys has the corresponding public key and can authentify the identity of the sender
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
27
Technologies de l’information et deLa communication
BanxafeBanxafe
011010111011
Firewall
InternetEntity One (Business)
Entity Two (User)
Public Key Storage
Encrypts message hashwith user’s private key
ApplicationServer
Web Server
End User PC
AuthenticationServer
AuthenticationClient
Private Key
Computesmessage hash
X= [(y)*]
Certificate Authority
End User Signature
CertificateDirectory
Private Key
FirewallEntity One (Business)
Entity Two (User)
Public Key Storage
ApplicationServer
Web Server
End User PC
AuthenticationServer
AuthenticationClient
Private Key
Certificate Authority
End User Signature
UserCertificate
Internet
Private Key
CertificateDirectory
Digitally signing a message
Sending a digitally signed message
• An authentication applet will generate a message hash when the user inputs his PIN code
• The payment itself and the message hash are encrypted with a private key. The user certificate is sent with the encrypted transaction
• Certificates are issued and maintained by Banksys (Certificate Authority (CA)).
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
28
Technologies de l’information et deLa communication
BanxafeBanxafe
FirewallEntity One (Business)
Entity Two (User)
Public Key Storage
ApplicationServer
Web Server
End User PC
AuthenticationServer
AuthenticationClient
Private Key
Certificate Authority
End User Signature
UserCertificate
Internet
Private Key
CertificateDirectory
FirewallEntity One (Business)
Entity Two (User)
Public Key Storage
ApplicationServer
Web Server
End User PC
AuthenticationServer
AuthenticationClient
Private Key
Certificate Authority
End User Signature
UserCertificate
Internet
Private Key
CertificateDirectory
Validating a digitally signed message
Validating a certificate
• Banksys will receive the message and the end user’s certificate.
• Banksys is the CA and maintains a directory of authorized entities and their public keys. Based on the end user’s certificate, it will confirm or deny the validity of the certificate
• Banksys will decrypt the transaction with the corresponding public key
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
29
Technologies de l’information et deLa communication
Banksys overviewBanksys overview
Key facts and figures per business line
Founded in 1989 as a merger of Bancontact and Mister Cash
Consortium owned by 58 banks (Belgian or with subsidiary in Belgium)
Provider of integrated card-system to banking industry, traders, self-employed persons and card holders:
– Networking: managing Banknet, private IP network, with 25 mio transactions monthly
– Equipment: design, installation and maintenance of terminals Bancontact/Mister Cash, Proton(76.000)
– Customer services and support for Visa cards, due to take-over of activities (except sales) of Bank Card Company in 1999
Banknet accounts for International presence:– STEP, managing ATM-ETP activities in different European countries– Proton as the international standard of rechargeable wallets (34,5 mio
cards in 24 countries)– Terminal and card applications (C-Zam/Smash, solution for e-
commerce)– Banxafe as ultra secure payment solution for Credit card payment over
Internet
6 accountable units since 1999:– Customer services and support
– Networking
– Field service
– Operations
– Terminals and card applications
– Card transactions
Evolution of Ratios
Source : Annual report Banksys and Dun & Bradstreet
38%
15% 11%
44%
14% 12%
135%
53% 60%
87%
36% 42%
0%
20%
40%
60%
80%
100%
120%
140%
160%
98 99 00
Profit margin Return on assets Shareholders return Return on capital
• Net sales: € 211 mio• Operating Income: 24 mio• Net profit (after tax): € 13 mio• Employees: 1008
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
30
Technologies de l’information et deLa communication
Most common security configuration– Use of SSL for transport security– Use of digital signatures (via Digipass or a C-ZAM/PC terminal)
The Digipass looks like a “calculator”, but is a little electronic machine which generates a digital signature. This signature will allow the user to present himself to PC Banking, will “sign” the operations, … The Digipass is connected to the PC
The C-ZAM/PC terminal is a little machine provided with a keyboard, and connected to the PC. To login or sign operations in PC Banking, the user must introduce his bankcard in the terminal, and then type his usual secret code. Encryption of transaction
Internet Banking securityInternet Banking security
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
31
Technologies de l’information et deLa communication
Use of mPaymentsUse of mPayments
FACT: Customers will start using mobile devices to make payments
TelCo Payment Provider Bank
PKI and digital signatureSecurity is achieved by a public key authentication applet embedded in the SIM card. This applet is accessed by a PIN and generates a digital signature which is checked by a public key infrastructure certificate. The client uses a private key to sign his payments. The telco or a company like Banksys could have the corresponding public key and could authentify the identity of the sender
New actors emerge in the payments market
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
32
Technologies de l’information et deLa communication
eCash/Deutsche Bank illustrationeCash/Deutsche Bank illustration
Customer deposits money into an eCash-enabled account. The electronic money is stored into the bank’s system until the customer uploads the money on his personal system or makes a purchase by mobile device
Customer deposits money into an eCash-enabled account. The electronic money is stored into the bank’s system until the customer uploads the money on his personal system or makes a purchase by mobile device
Customer can choose from the following payment options:-Upload money from bank’s system onto personal system and e-mail eCash to vendor- Use a mobile device to transfer eCash to the vendor
Customer can choose from the following payment options:-Upload money from bank’s system onto personal system and e-mail eCash to vendor- Use a mobile device to transfer eCash to the vendor
Vendor needs to have an account with a bank supporting the eCash payment system. This bank will then convert eCash into a regular deposit on vendor’s bank account after it has verified the payer’s eCash account with the DB 24.
Vendor needs to have an account with a bank supporting the eCash payment system. This bank will then convert eCash into a regular deposit on vendor’s bank account after it has verified the payer’s eCash account with the DB 24.
Virtual wallet
Virtual pre-paid account is credited with credit card or electronic transfer and used for e-commerce/C2C payments. Enormous success of Paypal in the US based on e-mail payment procedure (12 million users. Volume : 200.000 payments/day. Value : 10 MUSD/day)
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
33
Technologies de l’information et deLa communication
Introduction to epayments
Network security principles and concepts
B2C ePayments solutions
B2B ePayments solutions
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
34
Technologies de l’information et deLa communication
Payment functionality for a B2B sitePayment functionality for a B2B site
eCommerce applications are often pre-enabled to use a vendor’s payment services application The payments services application has links with many payments networks Transfer of payments orders from the B2B site via the web or interface
ME
RC
HA
NT
INT
ER
NE
T
SW
IFT
Off the shelf ecommerce applications
Custom ecommerce application
Payments services
vendor site
Isa
be
lM
as
terc
ard
/E
uro
ca
rdB
an
ks
ys
Clearing House
$ $ $
INT
ER
FA
CE
Buyer’s bank
Seller’s bank
Services•Transaction reporting•Virtual terminal•Merchant configuration•Manual capture and settlement
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
35
Technologies de l’information et deLa communication
The value chain desegregates a firm into its strategically relevant activities
The eCommerce technologies and possibilities for interaction have an impact on the classic sale value chain by enriching it with two new factors of differentiation: content and context.
Content
• Information presented with text, graphics, sound and video, i.e. a product description in an on-line catalogue– Context:
• The context adapts and presents the content (useful for the one-to-one marketing), i.e. a catalogue where the content is customised with respect to a specific customer
The B2B eCommerce Value ChainThe B2B eCommerce Value Chain
The eCommerce value chain as an instance of the sale value chain
Post-SalePost-SaleSalePre-Sale Post-Sale
Post-SalePost-Sale SalePre-SaleContent
Context
Post-Sale
The classic sale value chain
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
36
Technologies de l’information et deLa communication
eCommerce value chaineCommerce value chain
Sellers: - Prepare market presence - Publish offerings - Bid in expressed demand - Respond to standard inquiries - Process orders - Confirm order - Acknowledge cancellation - Distribute goods - Issue invoice - Receive payment - Provide support
Buyers: - Investigate offerings - Publish need - Evaluate and select offers - Place order - Cancel order - Receive goods or services - Accept/non-accept goods - Receive invoice - Dispute (protest invoice,…) - Submit payment - Request support
These processes illustrate the typical interactions between buyers and sellers in trading relationships
The processes of the actors interact mutually through the services provided by intermediaries eCommerce intermediaries: actors enabling various eCommerce related activities
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
37
Technologies de l’information et deLa communication
Specific issues in eCommerce value chainSpecific issues in eCommerce value chain
MandatoryOptional
Sellers
Buyers
Post-SalePost-SaleSalePre-SaleContent
Context
Post-Sale
$ $ $
Identification and
non-repudiationAuthorizations
Integrity
Standardizedmessage
exchangesArchiving of transactions
Transaction andpayment closure
Electroniccontract
enforcement
Guarantees and financing
The transposition of The transposition of a B2B sales cyclea B2B sales cycle into a fully ‘electronic’ value chain context raises into a fully ‘electronic’ value chain context raises specific issues to be addressedspecific issues to be addressed
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
38
Technologies de l’information et deLa communication
The Roles of eCommerce IntermediariesThe Roles of eCommerce Intermediaries
In an eCommerce market place, a number of (new) intermediaries are assuming several responsibilities:– Certification Authority: an entrusted service by one or more entities to create and assign certificates, and to mange
the revocation of certificates
– Registration Authority: reliable services, which have the responsibility of registration and approval of users of certificates on behalf of the Certification Authority
– Transaction authorisation Authority: when a transaction is sent, the transaction authorisation authority checks if the amount being ordered is under the limit authorised, and takes the engagement to the receiving party
– Transaction tracing Authority: offers a proof-of-evidence of a particular transaction at an instance in time. Querying services can be provided to the buyer and seller. This can be extended with the association services of linking related transactions
– Transaction archiving Authority: archives and manages digital documents and other data for longs period of time
– Notarial Authority: notaries can provide their certification or digital signature to trading or other official documents
– Transaction translation Authority: facilitates the integration of systems by translating the output data of the sending system into a suitable format of the receiving system
– Network Services provider: ensures the network management and provides additional services directly related to the infrastructure
– Navigation Services provider: ensures the ease of navigation on the main areas of the platform
– Trusted security software provider: designs and implements trusted security solutions based on the platform’s standards
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
39
Technologies de l’information et deLa communication
The Intermediaries of eCommerceThe Intermediaries of eCommerce
All these service providers intermediaries are forming the middle layer in the model
Buyers
Sellers
Intermediaries
CertificationAuthority
RegistrationAuthority
TransactionAuthorisatio
nAuthority
TransactionTracing
Authority
TransactionArchivingAuthority
NotarialAuthority
Transaction Translation Authority
Network Services provider
Navigation Services provider
Trusted securitysoftware provider
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
40
Technologies de l’information et deLa communication
International considerationsInternational considerations
When actors with no previous business
relationship are involved in an ‘electronic’ value
chain at ‘e-speed’, trading communities are built
from scratch and use the power of a virtual network
(representing by the 4-corner model)
For this 4-corner model to operate efficiently, there
is a need for a community or industry wide
convention to agree on standards relating to
contracts, financing, delivery,…
Third party (e.g. Seller service provider)
$ $$
Buyer
Seller
Third party (e.g. Buyer service provider)
‘Trust’ Zone for Seller‘Trust’ Zone for Buyer
When virtual communities are created with overlapping trust zones, When virtual communities are created with overlapping trust zones, standardstandards and s and governance are needed to support the B2B sales cyclesgovernance are needed to support the B2B sales cycles
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
41
Technologies de l’information et deLa communication
Therefore, to enable trusted exchanges throughout the full Therefore, to enable trusted exchanges throughout the full electronic value chain involving many actors, the following electronic value chain involving many actors, the following
Trust Transaction Services need to be set upTrust Transaction Services need to be set up (1/2)(1/2)
$ $$
Seller
Buyer
Trust enablement through the Trust Transaction Services
Transactions Value-addedServices
Roles and Rules
Seller Bank
Buyer Bank
Registration
Identification
Transactional Support
Administration
Trusted Third Party Trusted Third Party
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
42
Technologies de l’information et deLa communication
Therefore, to enable trusted exchanges throughout the full Therefore, to enable trusted exchanges throughout the full electronic value chain involving many actors, the following electronic value chain involving many actors, the following
Trust Transaction Services need to be set upTrust Transaction Services need to be set up (2/2)(2/2)
Trust enablement through the Trust Transaction ServicesRegistration -Enrollment
-Registration-Certification
Identification -Authentication-Warranty (Insurance of identify)
Roles and Rules-Organization and roles-Authorization and Privileges-Policies
-SLA/OLA-Revocation
Transactions-Selection and execution of transactions-Fulfilment of order process-Settlement of payment
Value-Added Services-Reputation services (e.g. creditworthiness)-Financing -Warranty/insurance of settlement, quality, timely delivery,etc-Notary Services
Transactional Support
-Standards and protocols-Integrity and non-repudiation-Privacy and confidentiality
Administration -Trusted archiving and logging-Dispute resolution-Montoring, measurement and management
-Integrity-Compliance auditing
Seller Seller Bank
$ $ $$ $ $
Buyer Buyer Bank
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
43
Technologies de l’information et deLa communication
Traditional economic actors and new entrants are starting to Traditional economic actors and new entrants are starting to provide fragmented and piece-wise Trust Transactions provide fragmented and piece-wise Trust Transactions
Services (1/2) Services (1/2)
Financial institutions:• Registration and identification (strong security level)
• Transactions – Settlement of payment
•Value-Added Services – Reputation services (off-line)
• Value-Added Services – Financing (off-line)
• Privacy and confidentiality
$ $ $$ $ $
Seller
Buyer
Trust enablement through the Trust Transaction Services
Transactions Value-addedServices
Roles andRules
Seller Bank
Buyer Bank
Registration
Identification
Transactional Support
Administration
Trusted Third Party Trusted Third Party
Standardization bodies:• Transactional support – Standards and protocols
• Transactional support – Compliance auditing
• Roles and Rules - Policies
Secured Infrastructure Providers:• Registration and identification
• Value-Added Services – Warranty/insurance
• Value-Added Services – Notary services
• Transactional support – Integrity and non-repudiation
• Administration
Marketplaces:• Registration and identification (low security level)
• Roles and Rules
• Transactions – Bid/Order/Buy/Sell
• Transactions – Settlement of payment
• Transactional support – Standards and
protocols
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
44
Technologies de l’information et deLa communication
Traditional economic actors and new entrants are starting to Traditional economic actors and new entrants are starting to provide fragmented and piece-wise Trust Transactions provide fragmented and piece-wise Trust Transactions
Services (2/2)Services (2/2)
Financial institutions:• Registration and identification
– Corporate customers of Belgian banks with Isabel
– ABN-AMRO, Deutsche Bank and Allianz (via
HypoVereinsbank) started using Identrus-based
certificates to secure new applications
• Transactions
– Barclays B2B.com UK first purchase-to-payment portal
to cover entire B2B trading chain
– Dresdner Bank Europe’s first transactional financial
portal to offer corporates online banking, risk
management and transaction services Standardization bodies:• S.W.I.F.T. with Bolero have released 65 XML document
definitions as used in international trade (e.g. commercial,
documentary credit, customs) to be transported through the
secured S.W.I.F.T. /TrustAct infrastructure
• Identrus has defined a industry standard for digital certificates, a
payment initiation application and a contractual framework that
regulates their usage
• E.U. passed a directive on 19 January 2000 making digital
signatures equivalent to paper based signatures
Secured Infrastructure Providers:• S.W.I.F.T. with TrustAct is a secured Internet-based messaging
service with non-repudiation and identification based on
Identrus certificates
• Isabel provides proprietary certificates and a secured
messaging service to all corporate customers of the Belgian
banks (more than 45,000 companies)
• Government sponsored bodies such as the Spanish Mint
provide all citizens with a digital certificate and signature
Marketplaces:• ‘Industry-centered’ (industry consortia or independent) or
‘company-centered’
• Focus on seamless procurement and supply chain
integration
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
45
Technologies de l’information et deLa communication
IdentrusIdentrus
Contracts & Procedures
Seller(Relying Party)
Client AppClient App Business to Business
Interactions
Identrus
PurchasingManager
(Certificate Holder)
Certificate Authority
Risk ManagementModule
OCSP Responder& Repository
TransactionCoordinator
Certificate Authority
Risk ManagementModule
OCSP Responder& Repository
TransactionCoordinator
Root Certificate Authority (CA)
Issuing Participant Relying Participant
Subscribing Customer
Relying Customer
Root CA
Transaction Coordinator
Risk Mgmt Module
OCSP Resp. & Repository
System-wide roles & responsibilities
Online Certification Service Provider: check
banks’ certificates + yellow page
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
46
Technologies de l’information et deLa communication
IdentrusIdentrus
• Identrus was created in April ’99. It acts as Root Certification Authority (CA) amongst the different public key infrastructures (PKI) of the banks set-up across the world, ensuring their inter-operability.
• Identrus uses the “four-corner” model among the Buyer, the Seller, and their respective banks to allow these banks to provide trusted eCommerce services
• Payments, Warranty of identity and of settlement, Letters of credit, Commercial paper, Credits, Creditworthiness, Secure Mail and intermediation, …
• Identrus and Swift have recently announced an alliance whereby Swift will operate a trusted and value added network for B2B exchanges based on the Identrus model and trust tree
• A number of the original Identrus founding banks are working on the Eleanor project, jointly defining new global standards for B2B ePayments and market place facilities
$
Buyer‘s Identrus Bank
$ $$
Buyer Seller
Identrus Root CA
$
Seller‘s Identrus Bank
Figure 1
B2B Commerce
Its 30 to 40 shareholder banks includeABN AmroANZ Banking GroupBank of AmericaBarclays BankBNP ParibasBSCHCIBCChase Manahattan BankCitigroupCrédit Agricole de France
CommerzbankDeutsche BankDresdner BankHSBC GroupHypo VereinsbankIndustrial Bank of Japan (IBJ)NatWest Group - RB of ScotlandSanwa BankScotiabankSociété GénéraleWells Fargo
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
47
Technologies de l’information et deLa communication
TrustAct - SWIFTTrustAct - SWIFT
How the service works Two businesses having subscribed to the e-trust service from their respective financial institutions. Using TrustAct, businesses can validate their trading partners' certificates and have complete assurance of the identity of the other trading party
1. The buyer browses the seller's catalogue.
2. The seller wants identity assurance and requests the buyer to forward a signed commercial document to TrustAct together with a certificate from the buyer's financial institution.
3. TrustAct performs a basic validation of the certificate and requests the respective financial institutions to validate the identity of their business. TrustAct also checks with Identrus to ensure that both institutions are scheme members.
4. TrustAct relays the assured order to the seller who now has an order that can be relied upon.
5. The seller returns a signed receipt to the buyer, via TrustAct, who now has an assured receipt that can be relied upon.
6. TrustAct records and maintains time-stamped records of all messages received by the TrustAct server.
SWIFT and Identrus™ LLC have entered into an alliance to offer a joint solution to facilitate business-to-business (B2B) trusted communication (based on Identrus' identity trust services and SWIFT's messaging capability.
V.1.1 Solvay Business School
Technologies de l’information et deLa communication
48
Technologies de l’information et deLa communication
SWIFT overview SWIFT overview
• Swift (Society for Worldwide Interbank Financial Telecommunication), located in Brussels, is a cooperative society owned by 239 member banks and financial institutions (founded in 1974)
• Offices in 25 locations worldwide• Employees : 1,800 (of which 1,000 in Belgium)• Geographic spread : Europe accounts for 2/3rd of revenues
• US #1• UK #2• Germany #3• France #4• Belgium #5
Business include• Financial messaging
• Payments• Securities• Treasury• Trade finance
• E services• TrustAct (Identrus)
Swift statistics YTD 08 2001
Traffic
# messages YTD 082001 987,617,134
# messages 2000 1,274,000,000
Message growth YTD 16,42%
Average daily traffic 5,868,194
FIN Availability
FIN Systems 100%
Transport network 99.995%
Overall service 99.995%
Customer base
Live countries 193
Live members 2,268
Live sub members 3,054
Live participants 1,901
Total live users 7,223